A Honeypot can be used as a Network Security tool

August 15, 2012

What is a honeypot?

A honeypot is an isolated and vulnerable system that is deliberately kept in the network in order to attract attackers, study their method of attacks and protect the actual systems from being attacked. When used properly, honeypots can be part of an effective network security strategy of any big company. If you haven’t tried using a honeypot in your company, you should.

A honeypot can either be an emulator (software that emulates OS, applications and vulnerabilities) or it can be a system with real OS and applications installed in it. A honeypot can be created by using just one computer/server or a network of several systems. A single system hosting the honeypot emulator can also emulate an entire network (appear as various independent systems to outsiders).

What’s so unique about a honeypot?

Any network security system (UTM, IPS, etc) scans all incoming data for vulnerabilities. While this works for known attacks (that can be identified using signatures) and some unknown attacks, a lot of false positives are generated by such systems.

A honeypot, on the other hand, works in the reverse direction. It mimics IP addresses of systems that are not used in the network and keeps watching out for a probe or a scan to such IP addresses. If any system (either from inside or outside the network) is trying to communicate with non-existent IP addresses in a network, there is every reason to be suspicious of it.

Honeypots can emulate vulnerabilities, accept and respond to the probes sent by the attacker. Hence the attacker might be interested in learning more about that system and might probe further or launch an attack to take control of the system. In the process, all their activities are captured by the honeypot system and the network administrator is alerted about the same. Honeypot is an excellent tool to identify and analyze new attack tools as these tools are downloaded to systems that attackers think can be compromised.

What are the advantages and limitations of honeypots?

Honeypots are very simple to deploy and there is no complex configurations. There are many open-source based honeypot emulators available on the net. Even an old computer with minimum configuration can be used as a honeypot and they require a limited amount of memory. Logs are highly accurate and chances of false positives is very less. It is possible to discover new attack methods used by potential attackers and it is also possible to use the honeypot to divert and distract the attackers for a considerable amount of time.

Among the limitations, honeypots can only detect attacks but cannot prevent attacks. Not every attacker will interact with the honeypot and hence the chances of identifying attacks on the network might be limited. Also, there is a danger of the honeypot system being compromised by an experienced attacker and being used to reach other systems on the network.

Having become familiar with honeypots, we should also know about honeytokens. The concept is very old, but effective. Dictionaries in the past deliberately used wrong definitions at a few places in order to establish copying/plagiarism by other publishers. Similarly, administrators can plant false data (called honeytokens) along with legitimate data and monitor for their movement. For example, if credit card information is stored in a secure place, a false credit card number might be inserted somewhere among all the data and the network can be monitored only for that number. If that particular false credit card number is found moving around, there is a good chance that files holding it have been compromised. Thereupon, the administrator can start investigating further.

You could stay up to date on the various computer networking/enterprise IT technologies by subscribing to this blog with your email address in the sidebar box that says, ‘Get email updates when new articles are published’